Procedures

Ingress Tool Transfer

  • UNC1945 is an advanced persistent threat (APT) group that targets financial and professional consulting industries through managed service providers. One notable example of their ingress tool transfer involved the exploitation of a vulnerability in Oracle Solaris (CVE-2020-14871). After gaining initial access to Solaris servers, they installed a backdoor known as SLAPSTICK, which allowed them to transfer various tools and establish a foothold. They also used custom QEMU virtual machines pre-loaded with post-exploitation tools stored in volatile memory.

  • TeamTNT has primarily targeted cloud and containerized environments, focusing on exploiting these resources for cryptocurrency mining. This group is well-known for its use of open-source tools and custom scripts to transfer malicious payloads. TeamTNT employs the curl and wget commands to download new tools and malware. They have been observed transferring malicious Docker images to Docker Hub and using SSH to connect back to victim machines, transferring tools and payloads onto these hosts.

  • CARBANAK, also known as FIN7, is a highly skilled cybercrime group known for targeting financial institutions and other high-value targets. During one intrusion, they exploited the Apache Struts vulnerability (CVE-2017-5638) to gain administrative access to a Linux environment. This initial access allowed them to use tools like Auditunnel for ingress, importing tools such as Winexe, TINYP, and PSCAN, which they then used for lateral movement within the compromised environment. Notably, they transferred these tools via secure pathways such as SCP for Linux and PSCP for Windows, ensuring the tools reached different victim systems efficiently while minimizing detection risks.

Application Layer Protocol: Web Protocols

  • Lazarus Group: Lazarus Group is a North Korean cyber espionage group known for targeting financial institutions and critical infrastructure. They use web protocols by hosting their command and control (C2) servers on compromised legitimate websites. These servers communicate with the malware via HTTP and HTTPS, enabling the attackers to execute commands, upload additional files, and exfiltrate data. By leveraging legitimate web traffic, they effectively mask their C2 communications within normal internet activity. Lazarus often uses multiple web servers and endpoints at various stages of an attack to maintain persistence and evade detection.

  • APT10 (Red Apollo): APT10, also known as menuPass, is a Chinese cyber espionage group that targets managed IT service providers (MSPs) and their clients. They employ web protocols for C2 by using a heavily interconnected set of dynamic-DNS domains to direct traffic to their C2 servers. These domains facilitate the remote execution of commands and data exfiltration over HTTP/HTTPS. APT10's strategy of using dynamic DNS helps them maintain operational flexibility and resilience against takedowns. The group's reliance on web protocols allows them to blend C2 traffic with legitimate web activity, complicating detection efforts.

  • Emotet: Emotet is a sophisticated banking trojan turned botnet used in various cybercrime campaigns. Emotet uses web protocols by sending HTTP GET and POST requests to its C2 servers for data exfiltration and receiving new commands. The malware ensures that connections are established successfully before proceeding with data exfiltration, making use of standard web traffic to disguise its malicious activities. Emotet's communication through encrypted channels over standard web ports adds another layer of obfuscation, making detection and mitigation more challenging for security teams.

  • APT28 (Fancy Bear): APT28, also known as Fancy Bear, is a Russian cyber espionage group. They use web protocols in their C2 infrastructure by setting up HTTPS servers to handle encrypted communications with their malware. This approach ensures that their C2 traffic is hidden within encrypted web traffic, making it difficult for network defenders to differentiate between legitimate and malicious activity. APT28's use of the Delphi programming language for malware development and their geographically dispersed C2 infrastructure further enhances their operational security and persistence.

  • Operation Tripoli: This campaign targets individuals in Libya and other regions using social engineering via Facebook. The attackers distribute malware through malicious links that lead to fake updates of popular apps. Once installed, the malware communicates with C2 servers using HTTP POST requests, allowing the attackers to execute commands and exfiltrate data. The use of legitimate social media platforms for distribution and standard web protocols for C2 communication helps the attackers evade detection and maintain a persistent presence on infected devices.

  • Pawn Storm (APT28): Pawn Storm, also known as Fancy Bear, uses web protocols by abusing compromised email addresses to send phishing emails containing malicious links. These links lead to fake login pages that capture user credentials and establish C2 communication via HTTPS. The group scans for vulnerable servers, using web protocols to identify and exploit them. Their extensive use of web protocols for C2 communication and credential theft demonstrates their ability to leverage common internet infrastructure for sophisticated cyber espionage activities.

Encrypted Channel: Symmetric Cryptography

  • Vyveva: Vyveva is a malware associated with the Lazarus Group, known for targeting government and financial institutions. This malware uses symmetric cryptography for encrypted channels, specifically employing XOR for encryption. Vyveva's configuration data is encrypted in memory and on disk, and the communication with command and control (C2) servers is also encrypted using Microsoft's Secure Channel (Schannel) for TLS/SSL. The malware uses multiple C2 servers and ports to evade detection and ensure redundancy. Its persistence mechanisms include creating Windows services and modifying the registry to auto-execute upon login. Vyveva's sophisticated techniques, such as dynamic configuration management and multiple encryption layers, underscore its resilience against detection and analysis.

  • Emotet: Emotet is a highly modular banking Trojan that has evolved into a full-fledged botnet involved in various cybercrime activities. It uses symmetric cryptography to encrypt its C2 communications. Emotet's payloads send encrypted HTTP GET and POST requests to communicate with C2 servers, ensuring that the traffic blends in with normal web traffic. The malware's configuration data is typically RC4-encrypted, complicating analysis and interception. Emotet's C2 infrastructure is designed to be resilient, using multiple servers and dynamically updating URLs to evade takedown efforts. This approach allows it to maintain persistent and stealthy operations across infected networks.

  • Zebrocy: Zebrocy is a subgroup of APT28 (Fancy Bear), which uses various malware families for espionage. Zebrocy employs symmetric cryptography to secure its C2 communications. The malware typically sends HTTP requests with encrypted data in the headers or cookies, using algorithms like RC4 for encryption. This ensures that the communication is secure and less likely to be detected by standard network monitoring tools. Zebrocy's infection chain includes the use of spear-phishing emails and malicious document attachments that execute payloads, establishing a foothold and allowing for further data exfiltration via encrypted channels. The encrypted data is often related to system information and user activities, which are critical for the attackers' intelligence gathering.

  • APT10 (Red Apollo): APT10, also known as menuPass, is a Chinese cyber espionage group targeting IT service providers. The group uses symmetric encryption to protect the integrity of their C2 communications. For instance, in Operation Cloud Hopper, APT10 employed the Trochilus malware, which used RC4 and Salsa20 ciphers for encrypting C2 traffic. This encrypted communication is crucial for maintaining the secrecy and security of their operations, allowing them to exfiltrate sensitive data from numerous global organizations without detection. APT10's ability to infiltrate MSPs and leverage these connections to reach their clients illustrates their sophisticated use of encryption in C2 channels.

  • DePriMon: DePriMon is a sophisticated loader used by the Turla group, known for its cyber espionage activities. This malware utilizes AES-256 encryption for various purposes, including securing C2 communications. DePriMon's C2 traffic is encrypted using SSL/TLS, and it establishes authenticated sessions using Windows Security Support Provider Interface (SSPI). This ensures that all data transmitted between the infected system and the C2 server is secure and difficult to intercept. The malware also uses encrypted configuration files and obfuscates its presence by utilizing multiple C2 servers and ports, which helps it evade detection and maintain persistent access to the targeted systems.

  • ChChes: ChChes is a backdoor used by various threat actors, including APT10, for cyber espionage. It uses symmetric cryptography for encrypting C2 communications, typically employing RC4 with keys derived from MD5 hashes. ChChes sends encrypted data via HTTP requests, embedding this data within cookies or other header fields. This encryption ensures that the malware's activities remain hidden within normal web traffic, complicating detection efforts. ChChes can load additional modules from its C2 server, expanding its capabilities while maintaining encrypted communication to prevent interception and analysis of its traffic.
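Zebrocy and ChChes are both described above as carrying RC4-encrypted data inside HTTP headers or cookies, ChChes with a key derived from an MD5 hash. The block below is an added analyst-side triage example, not code from the page or from either malware family: it pulls a named cookie out of a captured request, base64-decodes it, tries RC4 under MD5-derived candidate keys, and keeps the first result that looks like structured plaintext. The cookie name, the seed strings, the "raw MD5 digest as key" derivation and the sample request are all constructed assumptions.

```python
import base64
import hashlib
import re
import string
from typing import List, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: str) -> bytes:
    """Assumed derivation: the RC4 key is the raw 16-byte MD5 digest of a seed string."""
    return hashlib.md5(seed.encode("utf-8")).digest()


def extract_cookie(raw_request: str, name: str) -> Optional[str]:
    """Return the value of cookie `name` from the request's Cookie header, if present."""
    m = re.search(r"^Cookie:[ \t]*(.+?)\r?$", raw_request, re.MULTILINE)
    if not m:
        return None
    for part in m.group(1).split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


PRINTABLE = set(string.printable.encode("ascii"))


def looks_like_plaintext(data: bytes, min_printable: float = 0.9) -> bool:
    """Crude check: a correct key yields mostly printable ASCII, a wrong key yields noise."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= min_printable


def triage(raw_request: str, cookie_name: str, seeds: List[str]) -> Optional[Tuple[str, bytes]]:
    """Try each candidate seed; return (seed, plaintext) for the first that decrypts cleanly."""
    value = extract_cookie(raw_request, cookie_name)
    if value is None:
        return None
    try:
        blob = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    for seed in seeds:
        plain = rc4(derive_key(seed), blob)
        if looks_like_plaintext(plain):
            return seed, plain
    return None


# Constructed fixture: an invented beacon body encrypted under the assumed derivation,
# base64-encoded and placed in a cookie named "uid". Nothing here is real traffic.
SAMPLE_SEED = "constructed-seed"
SAMPLE_PLAINTEXT = b"id=WS-0417;os=6.1;ver=2"
SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: cdn.example.invalid\r\n"
    "Cookie: uid=" + base64.b64encode(rc4(derive_key(SAMPLE_SEED), SAMPLE_PLAINTEXT)).decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST, "uid", ["wrong-seed", SAMPLE_SEED]))
```

In practice the candidate seeds come from strings recovered during sample analysis; the printable-ratio check is only a first filter and should be followed by parsing the recovered plaintext.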

Data Encoding: Standard Encoding

  • Lazarus Group: Lazarus Group is a North Korean cyber espionage group known for targeting financial institutions and critical infrastructure. They use base64 encoding to obfuscate their command and control (C2) traffic, ensuring that their communications blend in with regular network traffic. This encoding method helps to mask the true intent of the data being transmitted, making it more challenging for network security tools to detect and analyze the malicious traffic. Lazarus often combines base64 encoding with other obfuscation techniques, such as embedding encoded data within legitimate-looking HTTP requests, to further evade detection. Their use of standard encoding is a key part of their strategy to maintain persistence and avoid triggering security alerts.

  • TA416 (Mustang Panda): TA416 is a Chinese APT group that uses base64 encoding in their reconnaissance campaigns. They employ web bugs that use base64 encoding to track targets before deploying their main payloads. The encoded URLs in these web bugs contain specific tracking information about the targets, allowing the group to profile victims and improve the precision of subsequent attacks. This method of using base64 encoding to disguise the data ensures that the initial reconnaissance phase remains covert, minimizing the chance of early detection and increasing the likelihood of a successful full attack.

  • LuoYu: The LuoYu group, active since 2014 and targeting Korean and Japanese organizations, uses base64 encoding to encode the configuration files of their WinDealer malware. This encoded data is stored on the infected systems and helps manage the communication with their C2 servers. By using base64 encoding, they ensure that the configuration data is not easily readable by anyone inspecting the files, thereby hiding the malware's configuration details from security analysts and delaying the detection and analysis of their operations.

  • Ghostwriter (UNC1151): Ghostwriter is a group associated with influence campaigns and cyber espionage, believed to be aligned with Belarusian interests. They utilize base64 encoding to encode command and control URLs and other key strings within their malware. This encoding helps to obscure the true nature of the URLs and data, allowing them to evade detection by security tools that might flag unencoded or plainly visible malicious URLs. This technique is part of a broader strategy to maintain operational security and ensure that their campaigns can proceed without interruption.

  • Attor: Attor is a sophisticated cyber espionage platform targeting diplomatic and governmental institutions, particularly in Eastern Europe. The malware uses base64 encoding to manage its command and control communications, ensuring that the transmitted data appears less suspicious and is harder to analyze. This encoding is combined with other obfuscation techniques to hide the data being sent to and from the C2 servers, making it more challenging for defenders to intercept and understand the malicious communications. Attor's use of base64 encoding highlights its focus on stealth and persistence in high-value targets.

  • DMSniff: DMSniff is a point-of-sale (POS) malware that targets small- and medium-sized businesses. It uses base64 encoding to hide its strings and obfuscate the data being sent to its C2 servers. By encoding its communication data, DMSniff ensures that the information it transmits, including stolen credit card data, is not easily readable by anyone who intercepts the traffic. This method helps the malware avoid detection and analysis, allowing it to operate covertly and effectively within compromised environments.

Non-Application Layer Protocol

  • Bvp47 (Equation Group): Bvp47 is an advanced backdoor linked to the Equation Group, which targets Linux systems. This malware uses the Berkeley Packet Filter (BPF) to create a covert communication channel within the Linux kernel. By processing only packets that meet specific BPF rules, Bvp47 ensures that its communication remains hidden from standard network monitoring tools. The use of BPF allows the malware to operate below the application layer, providing a stealthy method to send and receive commands without detection. This technique enables long-term control over compromised systems by avoiding traditional security mechanisms and network defenses.

  • Industroyer2 (Sandworm Group): Industroyer2 is a piece of malware designed by the Sandworm group to target electrical substations. It exploits the IEC 60870-5-104 protocol for communication, a non-application layer protocol used in industrial control systems. Industroyer2 initiates communication by sending specific APDU frames, including Test Frame (TESTFR) and Start Data Transfer (STARTDT) commands, to manipulate electrical station controls. This method allows the malware to directly interact with the control systems of electrical substations, causing disruptions in critical infrastructure without being detected by application-layer security tools.

  • LightBasin (UNC1945): LightBasin targets telecommunications companies using advanced techniques, including SGSN emulation for C2 traffic. They emulate Serving GPRS Support Node (SGSN) software to tunnel C2 traffic through the GPRS network, which operates at a lower network layer. This method blends malicious traffic with legitimate telecommunications traffic, making it difficult to detect. By using protocols native to the telecom infrastructure, LightBasin maintains covert communication channels that are resilient to typical security measures employed at higher layers of the network stack.

  • RedXOR (Winnti Group): RedXOR is a sophisticated Linux backdoor attributed to the Winnti Group, which uses XOR encoding for its network data. This malware communicates with its C2 servers using raw TCP or UDP, bypassing application-layer protocols. The use of non-standard network communication methods helps RedXOR evade detection by traditional security tools that monitor application-layer traffic. By operating at a lower layer, RedXOR ensures that its presence remains hidden while maintaining robust and encrypted communication channels with its operators.

  • APT41 (Winnti Group): APT41 is known for its versatile and sophisticated cyber operations, including the use of raw TCP and UDP for C2 communications. Their malware, such as DEADEYE, employs multiple encryption layers and communicates over non-application layer protocols to avoid detection. This approach allows APT41 to maintain persistent and secure communication channels with infected systems, leveraging the lower network layers to bypass application-layer defenses and monitoring tools. The use of raw network protocols is part of APT41's broader strategy to ensure their operations remain covert and resilient.

  • Operation NightScout: This operation involved a supply-chain attack targeting a gaming community, leveraging non-application layer protocols for C2 communication. The attackers used raw TCP and UDP protocols, along with encrypted TCP connections, to transmit commands and exfiltrate data. By avoiding standard application-layer protocols, the attackers ensured that their C2 traffic blended in with regular network activity, reducing the likelihood of detection. The use of raw network protocols provided a stealthy and efficient method to control compromised systems and gather intelligence.
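The Industroyer2 entry above describes a session that opens with TESTFR and STARTDT frames and then issues control commands. The block below is an added monitoring example, not code from the page or from any vendor's analysis: it parses a reassembled IEC 60870-5-104 TCP stream into APDUs using the APCI layout from the standard (start byte 0x68, length octet, four control octets), classifies I/S/U frames, and raises alerts when a host outside an allowlist of known SCADA masters activates data transfer or sends a process-control ASDU. The master allowlist, the client address and the sample byte stream are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

START_BYTE = 0x68

# U-format control functions (first control octet), per IEC 60870-5-104.
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act",  0x23: "STOPDT con",
    0x43: "TESTFR act",  0x83: "TESTFR con",
}

# ASDU type identifications for process-control commands: C_SC_NA_1 (45) to C_BO_NA_1 (51)
# and their time-tagged variants (58 to 64). These change the state of field equipment.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))


@dataclass
class Apdu:
    fmt: str                  # "I" (information), "S" (supervisory) or "U" (unnumbered)
    function: Optional[str]   # U-format function name, else None
    send_seq: Optional[int]   # I-format send sequence number N(S)
    recv_seq: Optional[int]   # I/S-format receive sequence number N(R)
    asdu: bytes               # ASDU payload (I-format only, otherwise empty)


def parse_stream(buf: bytes) -> List[Apdu]:
    """Split a reassembled TCP byte stream into APDUs and classify each by APCI format."""
    apdus: List[Apdu] = []
    i = 0
    while i + 2 <= len(buf):
        if buf[i] != START_BYTE:
            raise ValueError(f"bad start byte 0x{buf[i]:02x} at offset {i}")
        length = buf[i + 1]          # APDU length: 4 control octets + ASDU
        if length < 4 or length > 253:
            raise ValueError(f"illegal APDU length {length} at offset {i}")
        end = i + 2 + length
        if end > len(buf):
            break                    # trailing partial APDU: wait for more data
        c = buf[i + 2:i + 6]
        asdu = buf[i + 6:end]
        if c[0] & 0x01 == 0:                                   # I-format
            ns = ((c[1] << 8) | c[0]) >> 1
            nr = ((c[3] << 8) | c[2]) >> 1
            apdus.append(Apdu("I", None, ns, nr, asdu))
        elif c[0] & 0x03 == 0x01:                              # S-format
            nr = ((c[3] << 8) | c[2]) >> 1
            apdus.append(Apdu("S", None, None, nr, b""))
        else:                                                  # U-format
            name = U_FUNCTIONS.get(c[0], f"unknown U 0x{c[0]:02x}")
            apdus.append(Apdu("U", name, None, None, b""))
        i = end
    return apdus


def audit_session(client_ip: str, stream: bytes, allowed_masters: Set[str]) -> List[str]:
    """Alert when a client outside the allowlist starts data transfer or issues control commands."""
    if client_ip in allowed_masters:
        return []
    alerts: List[str] = []
    for n, a in enumerate(parse_stream(stream)):
        if a.fmt == "U" and a.function == "STARTDT act":
            alerts.append(f"apdu {n}: STARTDT act from unknown master {client_ip}")
        elif a.fmt == "I" and a.asdu and a.asdu[0] in CONTROL_TYPE_IDS:
            alerts.append(f"apdu {n}: control command ASDU type {a.asdu[0]} from unknown master {client_ip}")
    return alerts


# Constructed fixture: TESTFR act, STARTDT act, then one I-frame carrying a C_SC_NA_1 single
# command (type 45, cause of transmission 6 = activation, common address 1, IOA 1, SCO = ON).
SAMPLE_STREAM = bytes.fromhex(
    "68 04 43 00 00 00"
    "68 04 07 00 00 00"
    "68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 01"
)
ALLOWED_MASTERS = {"10.0.5.1"}   # assumed address of the legitimate SCADA master

if __name__ == "__main__":
    for a in parse_stream(SAMPLE_STREAM):
        print(a.fmt, a.function or f"ASDU type {a.asdu[0]}")
    for alert in audit_session("10.0.5.9", SAMPLE_STREAM, ALLOWED_MASTERS):
        print(alert)
```

A STARTDT act from an unexpected source is the earliest point in the sequence at which this activity is visible, before any command reaches the outstation.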

Encrypted Channel: Asymmetric Cryptography

  • Vyveva (Lazarus Group): Vyveva is a sophisticated backdoor used by the Lazarus Group, known for targeting government and financial institutions. It uses asymmetric encryption for its command and control (C2) communications via the Tor network, ensuring the traffic remains anonymized and secure. The malware encrypts its C2 communication using RSA for key exchange and uses symmetric cryptography (XOR) for the actual data transmission. This dual-layer encryption ensures that even if the traffic is intercepted, it remains indecipherable without the private keys. Vyveva's C2 commands include file exfiltration, system information gathering, and executing arbitrary code, all managed securely through the Tor network to avoid detection. The persistence mechanisms include creating Windows services and storing configuration data encrypted in the registry.

  • Bvp47 (Equation Group): Bvp47 is a sophisticated backdoor linked to the Equation Group, targeting Linux systems. This malware employs RSA and RC-X algorithms to secure its C2 channels, ensuring that the communication remains encrypted and secure. The use of asymmetric encryption (RSA) for initial key exchange, followed by symmetric encryption for data transmission, guarantees that the traffic cannot be easily intercepted or decrypted without the private key. Bvp47's sophisticated techniques include kernel hooking and using Berkeley Packet Filter (BPF) to create covert channels within the Linux kernel, making detection extremely difficult. This combination of advanced encryption and covert communication channels exemplifies the Equation Group's capability to maintain long-term control over compromised systems.

  • ChChes (APT10): ChChes is a lightweight backdoor used by APT10 (menuPass) in their cyber espionage campaigns. It uses asymmetric encryption for securing its C2 communications, embedding encrypted data within HTTP headers. The backdoor uses RSA for initial key exchange to establish a secure channel, then employs symmetric encryption for the actual data transfer. This method ensures that even if the communication is intercepted, the content remains secure and undecipherable without the corresponding private keys. ChChes can load additional modules from its C2 server, allowing it to expand its functionality dynamically while maintaining secure communication channels. The use of legitimate code-signing certificates further complicates detection efforts, as the signed malware appears legitimate to many security solutions.

  • Industroyer2 (Sandworm Group): Industroyer2 is a malware variant used by the Sandworm group to target industrial control systems (ICS). It leverages the IEC 60870-5-104 protocol for communication, integrating RSA encryption to secure the C2 channels. This ensures that commands sent to and from the C2 servers are encrypted, making interception and decoding extremely difficult without the private keys. Industroyer2's use of asymmetric encryption for key exchange, coupled with symmetric encryption for data transmission, enables secure and resilient communication channels crucial for their operations against critical infrastructure. The malware is designed to manipulate electrical substation controls, demonstrating the high stakes and sophistication involved in their operations.

  • DePriMon (Turla Group): DePriMon is an advanced backdoor used by the Turla group for cyber espionage. It employs AES-256 for encryption, but its C2 communication is established using asymmetric encryption methods like RSA. This approach ensures a secure initial handshake, creating a trusted channel for subsequent encrypted communications using symmetric encryption. DePriMon's ability to use Schannel for TLS/SSL communication adds an additional layer of security, making its traffic appear legitimate and difficult to intercept. The malware's configuration data, both in memory and on disk, is encrypted, reflecting its comprehensive approach to maintaining operational security and persistence.

  • Cyclops Blink (Sandworm): Cyclops Blink is a sophisticated botnet malware attributed to the Sandworm group, primarily targeting network devices such as ASUS routers. It employs RSA-2560 for securing its C2 communications, ensuring that the traffic is encrypted and cannot be easily intercepted or deciphered without the private keys. The use of asymmetric encryption for initial key exchange and symmetric encryption for ongoing data transmission provides a robust security framework for its communications. Cyclops Blink's ability to modify router firmware for persistence and its distributed C2 infrastructure make it a resilient and stealthy threat. This malware blends its encrypted C2 traffic with regular HTTPS traffic, further complicating detection efforts.

Application Layer Protocol: DNS

  • Calypso APT: Calypso is an APT group known for targeting governmental institutions to steal confidential data. This group uses DNS communication channels to manage command and control (C2) operations. The malware initiates DNS queries to receive commands, with responses containing command IDs and sizes. Results of executed commands are then sent back through multiple DNS requests. The group also engages in DNS redirection by compromising nameservers and redirecting legitimate domains to attacker-controlled IPs, thereby intercepting sensitive communications and harvesting credentials. Their use of DNS tunneling highlights a sophisticated method to covertly manage C2 traffic while evading traditional detection mechanisms.

  • DarkHydrus: DarkHydrus is known for its targeted attacks on Middle Eastern governmental entities. They use DNS tunneling as a method for command and control communication. The group's malware first resolves the C2 server's domain using specific name servers and then establishes covert communication channels by modifying NS records of domains. This technique allows the malware to send DNS queries to attacker-controlled servers to establish communication, which is particularly effective since DNS traffic is commonly allowed through network firewalls. This method of using DNS tunneling helps the group maintain persistent access and evade detection by conventional security tools.

  • MuddyWater: MuddyWater is an active threat actor targeting organizations across the Middle East and Central Asia. They utilize DNS tunneling for command and control operations, embedding their C2 communications within DNS queries. This technique involves sending DNS queries to attacker-controlled servers, which then respond with encoded commands. The malware executes these commands and sends the results back via DNS responses. By using DNS tunneling, MuddyWater effectively disguises their C2 traffic as legitimate DNS activity, making it harder for traditional security solutions to detect their presence.

  • Buhtrap: Buhtrap, initially focused on financial crime, has shifted to espionage activities, incorporating DNS tunneling into their C2 strategy. They use DNS queries to transmit data and receive commands from their C2 servers, embedding encoded information within DNS requests and responses. This allows them to bypass traditional network security measures that monitor for HTTP or HTTPS traffic. Buhtrap's use of DNS for C2 highlights their capability to adapt sophisticated techniques to evade detection and maintain long-term access to compromised systems.

  • APT15 (Ke3chang): APT15, also known as Ke3chang, uses DNS-based command and control methods to manage their malware, RoyalDNS. This backdoor communicates with its C2 servers using DNS TXT records, which allows it to bypass many security measures focused on HTTP/HTTPS traffic. By embedding commands within DNS responses, APT15 can maintain a covert channel for sending instructions and receiving data without raising suspicion. This method ensures that their C2 traffic blends in with normal DNS traffic, making it difficult to detect and analyze.

  • OilRig: OilRig is a cyber espionage group targeting organizations in the Middle East. They employ DNS tunneling for C2 communications, where the malware encodes data within DNS queries to exfiltrate information and receive commands. This method involves the malware creating unique GUIDs sent in DNS queries, with the C2 server responding via encoded IPv6 addresses. This sophisticated use of DNS tunneling ensures that their C2 traffic is hidden within regular DNS traffic, evading many traditional network defenses and monitoring tools.
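Every entry in this section relies on the same observable: a client sends many distinct, encoded subdomains under one parent domain (results split across "multiple DNS requests", unique GUIDs per query) and, for RoyalDNS, leans on TXT records. The block below is an added detection example, not code from the page or from any of the cited reports: it groups resolver log lines by client and parent domain and flags groups whose subdomains are non-repeating and high-entropy, or whose query mix is TXT-heavy. The log format, the thresholds, the "parent = last two labels" shortcut (no public-suffix list) and the sample log are constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (parent, subdomain). Assumption: parent is the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line: str) -> Tuple[str, str, str]:
    """Constructed log format: '<timestamp> <client_ip> <qname> <qtype>'."""
    _, client, qname, qtype = line.split()
    return client, qname, qtype.upper()


def score_logs(lines: List[str], min_queries: int = 8, unique_ratio_threshold: float = 0.8,
               entropy_threshold: float = 3.0, txt_share_threshold: float = 0.5) -> Dict[Tuple[str, str], dict]:
    """Score each (client, parent domain) group and return the ones that look like tunnelling."""
    groups: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        client, qname, qtype = parse_line(line)
        parent, sub = split_name(qname)
        groups[(client, parent)].append((sub, qtype))

    findings: Dict[Tuple[str, str], dict] = {}
    for key, queries in groups.items():
        if len(queries) < min_queries:          # too little volume to judge
            continue
        subs = [s for s, _ in queries]
        unique_ratio = len(set(subs)) / len(subs)
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        txt_share = sum(1 for _, t in queries if t == "TXT") / len(queries)
        reasons = []
        # Encoded payload per query: almost every subdomain is new and looks random.
        if unique_ratio > unique_ratio_threshold and mean_entropy > entropy_threshold:
            reasons.append("high-entropy, non-repeating subdomains")
        # Command channel carried in TXT answers rather than the usual A/AAAA mix.
        if txt_share > txt_share_threshold:
            reasons.append("TXT-heavy query mix")
        if reasons:
            findings[key] = {
                "queries": len(queries),
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "mean_subdomain_len": round(mean_len, 1),
                "txt_share": round(txt_share, 2),
                "reasons": reasons,
            }
    return findings


def _fake_label(i: int) -> str:
    # Deterministic stand-in for the per-query encoded payload a tunnelling client would emit.
    return hashlib.sha256(str(i).encode()).hexdigest()[:40]


# Constructed sample: ordinary lookups from one host, a tunnelling-like burst from another.
SAMPLE_LOG = (
    [f"2024-05-01T09:00:{i:02d} 10.1.1.5 www.example.com A" for i in range(6)]
    + [f"2024-05-01T09:01:{i:02d} 10.1.1.5 mail.example.com A" for i in range(4)]
    + [f"2024-05-01T09:02:{i:02d} 10.1.1.7 {_fake_label(i)}.update-cdn.example TXT" for i in range(12)]
)

if __name__ == "__main__":
    for key, info in score_logs(SAMPLE_LOG).items():
        print(key, info)
```

Legitimate high-volume domains (CDNs, anti-spam or reputation lookups that also use TXT and hashed labels) will trip these heuristics, so the output is a triage queue to be checked against an allowlist, not a verdict.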

Web Service: Bidirectional Communication

  • ToddyCat APT Group: ToddyCat is a relatively new APT actor identified in December 2020, targeting high-profile entities in Europe and Asia. They use sophisticated and stealthy techniques, leveraging unique malware tools like the Samurai backdoor and the Ninja Trojan. The Samurai backdoor works primarily over HTTP/HTTPS, capable of executing arbitrary C# code via the .NET HTTPListener class to handle specially crafted HTTP POST requests carrying encrypted C# source code. This setup allows the attackers to send and receive commands stealthily within legitimate web traffic. The Ninja Trojan, deployed by the Samurai backdoor, features deep system control functionalities like process enumeration, file management, reverse shell sessions, code injection, and proxy capabilities. These malware components can camouflage malicious traffic within legitimate-looking HTTP and HTTPS requests, ensuring persistence and stealth.

  • SectorA05: SectorA05 targets government officials, cryptocurrency exchanges, developers, and regular users, aiming to steal cryptocurrency wallets and private keys. Their operation involves using phishing, custom malware, and dynamic C2 infrastructure. They employ standard application layer protocols and web services for command and control, compressing and exfiltrating data over these channels. The group's techniques include the use of phishing to deliver malware, which then automates data collection and exfiltration processes to maintain a low profile. Their sophisticated and persistent cyber threat poses significant risks to both governmental and private sectors.

  • BlackTech (Gh0stTimes): BlackTech is known for targeting Japanese organizations since 2018, using a customized version of Gh0st RAT called Gh0stTimes. Gh0stTimes communicates with C2 servers using a custom protocol with a distinct packet format, involving authentication and encrypted communication. Commands are exchanged in an RC4-encrypted and zlib-compressed format. The malware sends authentication data to the C2 server to establish a secure session, after which it transmits system information and executes received commands. This setup ensures that communication remains encrypted and compressed, blending with legitimate web traffic to evade detection.

  • Operation Sheep: Uncovered by Check Point Research, Operation Sheep involved Android applications covertly harvesting contact information from mobile phones using an SDK named SWAnalytics. The SDK facilitated data harvesting by silently uploading users' contact lists to servers controlled by the attackers whenever the infected applications were opened or the device was rebooted. The SDK periodically fetched configuration files from a remote C2 server to update its data collection parameters. To secure data transmission, SWAnalytics employed double DES encryption. This method ensured bidirectional communication between the malware and the C2 server, effectively disguising malicious activity within legitimate app functionalities.

  • BoxCaon (IndigoZebra): IndigoZebra employs the BoxCaon backdoor, which uses Dropbox as its C2 server, leveraging legitimate cloud storage to mask malicious traffic and evade detection. BoxCaon creates a unique folder in an attacker-controlled Dropbox account named after the victim's MAC address, using this folder to upload execution paths and local working folder paths. Commands are sent through this Dropbox folder, which the malware retrieves and executes, uploading results back to Dropbox. This method allows attackers to communicate with compromised systems through legitimate web services, making their activities harder to detect.

  • Moriya (TunnelSnake): The Moriya rootkit is used by an unidentified threat group, creating a passive backdoor by inspecting all incoming traffic to the infected machine and filtering out specific packets designated for the malware. This enables covert C2 communication without initiating outbound connections. Moriya's service installation ensures it starts automatically with the system, and it establishes a reverse shell session by injecting its DLL into legitimate processes. This setup provides a bidirectional communication channel that is hidden from standard monitoring tools, enabling stealthy data exfiltration and command execution.

Fallback Channels

  • UNC1945: UNC1945 is a cyber espionage group targeting legacy systems in financial institutions. They employ fallback channels by using a secondary command and control (C2) domain that activates if the primary domain is blocked. This ensures continued communication with their malware, even if the primary channel is compromised. They use custom backdoors and implants, such as the TinyShell backdoor, which facilitate remote control and data exfiltration. Their toolkit includes network manipulation tools and techniques to blend malicious activities with legitimate network traffic, making detection difficult. The sophisticated modular environment they use enables long-term, stealthy operations​​.

  • Chafer APT Group (APT39): The Chafer group is known for targeting organizations in the Middle East for surveillance and information gathering. They use fallback channels by establishing multiple C2 pathways, ensuring persistent access even if one channel is disrupted. Their techniques include using HTTP tunneling tools like GNU HTTPTunnel and reverse SSH sessions to maintain communication with compromised systems. These methods allow them to bypass network defenses and firewalls. They also employ custom domains and proxies to obfuscate their C2 infrastructure. The use of fallback channels demonstrates their strategic approach to maintaining resilience in their operations .

  • PipeMon (Winnti Group): PipeMon is a modular backdoor used by the Winnti Group, leveraging fallback mechanisms to ensure continued control. The updated version of PipeMon includes a fallback channel that switches to a secondary C2 domain after a specific date, maintaining communication even if the primary domain is blocked. The malware uses a custom command and control protocol over TLS, providing encrypted and secure channels for data transmission. This approach ensures that the communication remains hidden and resilient against network disruptions. The use of encrypted communication and fallback channels highlights the group's advanced capabilities .

  • APT28 (Pawn Storm): APT28, also known as Fancy Bear, uses sophisticated multi-stage attack techniques, including fallback channels for C2 communication. They conduct large-scale server scanning and use compromised email accounts for phishing. If their primary C2 servers are detected and blocked, they switch to alternative servers to maintain control over their operations. This method ensures that their campaigns continue without interruption, even when defensive measures are implemented. Their ability to quickly adapt to changing network environments showcases their operational flexibility and persistence.

  • IndigoZebra: IndigoZebra employs the BoxCaon backdoor, which uses Dropbox for C2 communication. As a fallback, they also have an HTTP variant of the backdoor that communicates with C2 servers via HTTP POST requests. This dual-channel approach ensures that if one method is disrupted, the other can maintain the communication link. The use of legitimate web services like Dropbox for C2 operations helps them evade detection and minimize abnormal network traffic. This strategy highlights their use of legitimate infrastructure to mask malicious activities and maintain persistent access.

  • SolarMarker: SolarMarker is a malware campaign that employs fallback channels by using various trusted hosting platforms and dynamic redirection paths. They initially lure victims through search engine optimization (SEO) poisoning and deliver malware through decoy applications. If the primary C2 path is blocked, the malware uses alternative redirection paths to ensure continued communication. This method allows them to adapt quickly to defensive measures and maintain the effectiveness of their campaign. The use of fallback channels and dynamic infrastructure showcases their ability to evade detection and persist in targeted environments.

Non-Standard Port

  • APT41 (Winnti Group): APT41 is known for its versatile and sophisticated cyber operations, including the use of non-standard ports for command and control (C2) communications. Their malware, such as the DEADEYE and POISONPLUG backdoors, typically communicates over ports that are not commonly used for web traffic. For instance, DEADEYE uses port 5005 for C2 communication, disguising its traffic to avoid detection. This method involves embedding commands within HTTP requests over non-standard ports, ensuring that the malware's activities are less likely to be detected by standard security measures. Additionally, APT41 employs multiple layers of encryption and obfuscation, making it difficult for network security tools to identify the malicious traffic. This approach allows APT41 to maintain persistent and stealthy control over compromised systems.

  • Industroyer2 (Sandworm Group): Industroyer2 is a malware variant used by the Sandworm group to target industrial control systems (ICS). It leverages the IEC 60870-5-104 protocol over non-standard ports to communicate with C2 servers. The malware sends commands through port 2404, the port typically associated with the IEC-104 protocol for electrical substation communication. Because this port is non-standard outside of ICS environments, Industroyer2's traffic blends with legitimate ICS communications, making it difficult to detect and block. This method highlights the group's deep understanding of ICS protocols and their ability to exploit these for malicious purposes.

  • TRITON (Xenotime): TRITON malware, attributed to the Xenotime group, targets safety instrumented systems (SIS) in industrial environments. The malware communicates with its C2 servers using the TriStation protocol over UDP port 1502. This non-standard port is specific to Triconex SIS controllers, making the malicious traffic blend with normal operational data. The attackers reverse-engineered the proprietary TriStation protocol to develop TRITON, enabling them to send commands that can manipulate the safety controls of critical infrastructure. This approach demonstrates the attackers' technical sophistication and their ability to use non-standard ports to maintain stealthy and effective control over targeted systems.

  • APT29 (Cozy Bear): APT29, also known as Cozy Bear, is a Russian cyber espionage group that uses non-standard ports for their C2 operations. Their malware often communicates over high-numbered ports that are not typically monitored by standard security tools. For example, they have used ports in the range of 8000-9000 to send encrypted data back to their C2 servers. By using these less commonly monitored ports, APT29 can bypass network security measures that focus on more commonly used ports like 80 (HTTP) and 443 (HTTPS). This tactic helps them evade detection and maintain persistent access to compromised networks.

  • Cobalt Group: The Cobalt Group, known for targeting financial institutions, employs non-standard ports to manage their C2 communications. Their malware often uses ports such as 2222 and 5555 to communicate with C2 servers. By avoiding standard ports, the Cobalt Group can bypass firewall rules and intrusion detection systems that primarily focus on monitoring common ports. This technique ensures that their C2 traffic remains undetected while they execute commands and exfiltrate data from compromised systems. The use of non-standard ports is part of their broader strategy to maintain stealthy and persistent access to their targets.

  • FIN7 (Carbanak): FIN7, also known as Carbanak, is a cybercriminal group known for targeting the financial sector. They use non-standard ports for their C2 operations to evade detection. For instance, their malware may use ports like 1337 or 8081 to communicate with C2 servers. This approach helps them blend their malicious traffic with legitimate network activity, reducing the likelihood of being detected by security tools. By leveraging non-standard ports, FIN7 can effectively manage their operations, including executing commands, stealing data, and deploying additional malware, while avoiding detection.
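The procedures in this section share a detectable shape: an application protocol on a port it does not belong to, an ICS protocol port used by a host that has no business speaking it, and internet egress on ports the policy never allowed. The following added example (written for this page, not taken from any vendor or group tooling) runs those three checks over constructed Zeek-style connection records; the hosts, addresses and the set of ICS-authorized engineering hosts are all assumed.

```python
import ipaddress
from collections import namedtuple

# Constructed Zeek-style connection records (not real telemetry): fields mirror
# conn.log (ts, id.orig_h, id.resp_h, proto, id.resp_p, service), where
# service is Zeek's protocol detection result or "-" when nothing was identified.
Flow = namedtuple("Flow", "ts src dst proto dport service")

SAMPLE_FLOWS = [
    Flow(1.0, "10.0.5.20", "203.0.113.7", "tcp", 443, "ssl"),    # ordinary TLS egress
    Flow(2.0, "10.0.5.20", "203.0.113.9", "tcp", 5005, "http"),  # HTTP on 5005, DEADEYE-like
    Flow(3.0, "10.1.1.5", "10.1.2.50", "tcp", 2404, "-"),        # IEC-104 from engineering host
    Flow(4.0, "10.0.5.31", "10.1.2.50", "tcp", 2404, "-"),       # IEC-104 from an office subnet
    Flow(5.0, "10.1.1.5", "10.1.2.60", "udp", 1502, "-"),        # TriStation from engineering host
    Flow(6.0, "10.0.5.42", "10.1.2.60", "udp", 1502, "-"),       # TriStation from an office host
    Flow(7.0, "10.0.5.31", "198.51.100.4", "tcp", 8081, "-"),    # egress on 8081
]

# Ports the (assumed) egress policy permits from user workstations to the internet.
EGRESS_ALLOWED = {80, 443}
# Ports on which HTTP is expected; HTTP anywhere else is a protocol/port mismatch.
HTTP_PORTS = {80, 8080, 443, 8443}
# ICS protocol ports named in this section; only authorized hosts may use them.
ICS_PORTS = {("tcp", 2404): "IEC-104", ("udp", 1502): "TriStation"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_nonstandard_port_c2(flows, ics_authorized):
    """Return (rule, src, dst, dport) alerts for three patterns: an application
    protocol on a port it does not belong to, an ICS protocol port used by a
    host outside the authorized set, and internet egress on a disallowed port."""
    alerts = []
    for f in flows:
        key = (f.proto, f.dport)
        if f.service == "http" and f.dport not in HTTP_PORTS:
            alerts.append(("http-on-nonstandard-port", f.src, f.dst, f.dport))
        if key in ICS_PORTS and f.src not in ics_authorized:
            alerts.append((f"{ICS_PORTS[key]}-from-unauthorized-host", f.src, f.dst, f.dport))
        if is_internal(f.src) and not is_internal(f.dst) and f.dport not in EGRESS_ALLOWED:
            alerts.append(("egress-nonstandard-port", f.src, f.dst, f.dport))
    return alerts


if __name__ == "__main__":
    # 10.1.1.5 is the assumed engineering workstation allowed to speak IEC-104/TriStation.
    for alert in detect_nonstandard_port_c2(SAMPLE_FLOWS, ics_authorized={"10.1.1.5"}):
        print(alert)
```

The same flow can trip more than one rule (the port-5005 HTTP session is both a protocol mismatch and disallowed egress), which is useful for triage ordering.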

Web Service

  • China Chopper: China Chopper is a web shell that has remained active and relevant for many years, used by various threat groups. The tool allows attackers to maintain access to compromised systems by inserting minimal server-side code into a target website, often just a single line. This code enables communication with the attacker via HTTP POST requests, which the client application uses to control the target system. Functions include a virtual terminal, file manager, database manager, and a vulnerability scanner. Attackers use commands to compress, archive, and exfiltrate documents periodically. This minimalistic approach and use of standard web protocols help the web shell evade detection and maintain persistent access.

  • Mustang Panda (RedDelta): Mustang Panda, an APT group primarily targeting organizations in Asia, uses web services extensively for C2 communications. They often use Google Drive, Dropbox, and similar platforms to host malicious payloads and facilitate C2 operations. This method helps the group evade traditional network security measures by blending malicious traffic with legitimate web traffic. They employ spear-phishing campaigns to deliver initial payloads, which then communicate with the C2 server via HTTP or HTTPS. The use of legitimate services for hosting and communication increases the difficulty of detecting and blocking their activities.

  • Blue Mockingbird: Blue Mockingbird is known for deploying Monero cryptocurrency-mining payloads on Windows machines. They gain initial access by exploiting public-facing web applications, particularly those using Telerik UI for ASP.NET AJAX. Once inside, they use DLL payloads executed through rundll32.exe or regsvr32.exe and maintain persistence via COR_PROFILER hijacking. This technique involves modifying the Windows Registry to ensure the malicious DLL executes whenever the .NET Common Language Runtime is loaded. They utilize scheduled tasks to execute the miner DLL and blend these tasks with legitimate ones to avoid detection, ensuring steady communication with the C2 server through web services.

  • Lebanese Cedar (Volatile Cedar): Lebanese Cedar is an APT group involved in cyber-espionage, targeting sectors like telecommunications and IT. They use custom-developed web shells, such as the "Caterpillar" WebShell, for C2 operations. This web shell supports functionalities like file manipulation, command execution, and further malware deployment via HTTP requests. The modular design of their web shell allows them to adapt and expand their capabilities while maintaining stealth. This method provides a robust and flexible C2 channel that leverages standard web protocols to evade detection.

  • BRONZE VINEWOOD: This group uses Dropbox for C2 communications, leveraging the cloud storage service to mask malicious traffic. They deploy the DropboxAES RAT, which encrypts communications with the ChaCha20 algorithm and uses Dropbox to send and receive commands. This approach ensures that C2 traffic is concealed within legitimate cloud service traffic, making it difficult to detect and block. The group also uses other legitimate platforms like GitHub to host payloads and issue commands, further blending malicious activities with normal web traffic.

  • OilRig (Greenbug): The OilRig campaign, linked to the Greenbug threat group, uses sophisticated web-based C2 techniques. They deploy ISMDoor and its variant ISMAgent, which communicate with C2 servers via both HTTP requests and DNS tunneling. ISMAgent prioritizes HTTP for C2 communication, switching to DNS tunneling if HTTP fails, ensuring reliable communication with the C2 server. This redundancy and use of standard web protocols enable the malware to maintain persistent communication channels, facilitating data exfiltration and command execution while evading traditional security measures.

Proxy: External Proxy

  • Seedworm (MuddyWater) is a cyber espionage group known for targeting telecommunications organizations in North and East Africa. They use the MuddyC2Go framework for command and control, which automates connections to C&C servers, allowing remote access without manual intervention. This framework replaces their previous PhonyC2 infrastructure. A custom-built tool named Venom Proxy is utilized for managing intranet nodes and proxying network traffic, effectively obscuring the malicious activity from standard network defenses. The attackers also employ the Revsocks tool, a SOCKS5 proxy server, to create reverse tunnels, further enabling covert communication. Tools like SimpleHelp and AnyDesk provide additional remote access capabilities, facilitating persistent and stealthy control over compromised systems. Heavy use of PowerShell scripts is observed to execute commands and download additional payloads, enhancing their ability to maneuver within the targeted network.

  • LightBasin is a sophisticated threat group targeting telecommunications companies. For their command and control, they employ SGSN emulation software along with the TinyShell backdoor, tunneling C2 traffic through the GPRS network. This setup allows them to blend malicious traffic with legitimate telecommunications traffic, reducing detection chances. They also utilize Fast Reverse Proxy and Microsocks Proxy, open-source utilities that create reverse and SOCKS5 proxies for internal network pivoting and external access. These tools enable the attackers to manage and reroute traffic through compromised systems securely. By operating within specific time windows, the group minimizes the risk of detection, maintaining a low profile by scheduling C2 traffic to run only for brief periods daily. Encrypted communication and native protocol usage further enhance their operational security.

  • Turla is a state-sponsored cyber espionage group known for targeting political organizations in Eastern Europe. They use a combination of fake Flash installers and Man-in-the-Middle (MitM) attacks to distribute their malware. For command and control, Turla's malware employs custom encryption algorithms based on the Blum Blum Shub pseudorandom number generator. This ensures that communication with C&C servers is encrypted, making it difficult for network security tools to intercept and analyze the traffic. The malware sends encrypted data through HTTP GET requests, structured to appear legitimate, facilitating stealthy communication with the C&C servers. Their use of named pipes for inter-process communication and storing configuration data in encrypted registry values adds layers of complexity to their command and control infrastructure.

  • Outlaw Group utilizes a Perl-based IRC bot, Shellbot, for command and control operations targeting IoT devices and Linux servers. Once a server is compromised, it is connected to an IRC bouncer hosted on a high-availability cluster, ensuring persistent control over the botnet. The payload is executed using Perl scripts, and the components are removed post-execution to avoid detection. Shellbot communicates with C&C servers via IRC, maintaining a persistent connection and automatically reconnecting if disrupted. This method allows for seamless command execution and data exfiltration, leveraging the IRC protocol's simplicity and reliability. The group uses a toolkit comprising various exploits and configuration files to perform DoS attacks and SSH brute force attacks, further enhancing their command and control capabilities.

  • TAG-38 (Threat Activity Group 38) is a likely Chinese state-sponsored group targeting the Indian power sector. They utilize the modular backdoor ShadowPad for command and control, which allows data exfiltration, lateral movement, and persistence within the network. TAG-38 uses compromised internet-facing DVR/IP camera devices as C2 servers, leveraging these poorly secured devices to control malware stealthily. They employ Fast Reverse Proxy (FRP) to expose local services behind NAT or a firewall to the internet, facilitating remote access and control. This tool enables them to maintain covert communication channels into the targeted networks, ensuring persistent and stealthy control over the compromised systems.

  • Patchwork APT Group primarily targets organizations using spear-phishing campaigns. They utilize QuasarRAT for command and control, which beacons to hardcoded IP addresses or domains to report infections and receive commands. The malware creates scheduled tasks using a digitally signed .NET Task Scheduler Managed Wrapper to ensure persistence. It also employs scriptlets embedded in malicious RTF documents to execute initial payloads from temporary directories. QuasarRAT supports various remote commands, including file manipulation, process management, and system monitoring, enabling comprehensive control over the infected systems. The group uses legitimate-looking emails and documents to deliver malware, maintaining long-term access and control.

Dynamic Resolution: Domain Generation Algorithms

  • DarkHydrus is an adversary group primarily targeting entities in the Middle East. They use the RogueRobin Trojan for command and control, employing DNS tunneling to communicate with their C2 servers. This involves issuing DNS queries using various query types (TXT, SOA, MX, CNAME, SRV, A, and AAAA) to test and establish communication. The Trojan utilizes a PowerShell script to drop and execute its payload, which then connects to a Google domain as an anti-analysis measure. Additionally, the C# variant of RogueRobin can use Google Drive for C2 communications, uploading and downloading files via the Google Drive API. These techniques allow DarkHydrus to maintain covert communication channels and persistent control over compromised systems.

  • APT15 (Ke3chang) is a sophisticated APT group known for targeting government and military organizations. They use the RoyalDNS backdoor, which communicates with C2 servers using DNS TXT records, allowing them to bypass traditional network defenses. The malware achieves persistence through the 'Nwsapagent' service and uses batch scripts to create Windows run keys. This backdoor operates by issuing DNS queries to retrieve commands and exfiltrate data, blending malicious traffic with legitimate DNS activity. The use of DNS-based C2 communication makes it difficult for security tools to detect and block the malware. This technique demonstrates APT15's advanced capabilities in maintaining stealthy, long-term access to targeted networks.

  • WindShift targets macOS systems in the Middle East. They use a custom URL scheme to infect targets and move the malware to the /Users/user/Library/ directory to ensure execution. For C2 communication, the malware connects to encrypted C2 servers, using domains such as string2me.com and flux2key.com. These communications are decrypted to reveal commands and data exfiltration instructions. The malware's use of legitimate-looking icons and revoked code-signing certificates helps evade detection. WindShift's sophisticated backdoor capabilities enable remote command execution and data theft, making it a potent espionage tool.

  • SilverFish targets high-value entities, including governmental institutions and IT providers. They use domain generation algorithms (DGA) for their C2 infrastructure, dynamically creating domain names to avoid detection and takedown. The malware communicates with C2 servers using encrypted channels, often embedding commands within legitimate web traffic. This approach ensures persistent and covert communication, allowing the attackers to maintain control over compromised systems. The group's use of DGAs and encryption highlights their advanced operational security and adaptability in evading network defenses.

  • DRBControl is an APT targeting gambling and betting companies in Southeast Asia. They use spear-phishing emails with malicious DOCX attachments to deliver malware, which then uses the Dropbox API for C2 communications. The malware gathers system information and uploads it to Dropbox, utilizing its services to receive commands and exfiltrate data. This technique helps blend malicious traffic with legitimate cloud service activity, reducing the likelihood of detection. By leveraging a well-known and trusted service like Dropbox, DRBControl effectively obscures their C2 communications and maintains persistent access to their targets.

  • SolarWinds Attackers (UNC2452/Dark Halo) exploited the SolarWinds Orion platform to deliver malicious updates, using domain generation algorithms (DGA) to dynamically resolve C2 domains. This technique enabled the attackers to adjust their infrastructure quickly in response to security efforts, maintaining their communication channels despite takedown attempts. The use of DGAs ensured that new domains could be generated on the fly, complicating efforts to block C2 traffic. This sophisticated method, combined with the attack's precision targeting, reflects the high level of operational security and strategic planning behind the campaign.
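Two of the behaviours in this section leave distinct marks in resolver logs: a backdoor that carries commands in TXT (or other tunnel-capable) records sends an unusual volume of such queries to one registered domain, and a DGA client resolves bursts of long, high-entropy names that no human chose. The following added example (written for this page, not taken from any of the named malware or a vendor product) scores constructed DNS query records on both signals; the client addresses, domains and thresholds are assumed, and the two-label "registered domain" shortcut stands in for a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real telemetry): (client, qname, qtype, rcode).
# Host .12 sends a stream of TXT queries to one domain, the RoyalDNS-style
# pattern; host .33 resolves a burst of algorithmically generated names.
SAMPLE_DNS = [
    ("10.0.7.12", "mail.google.com", "A", "NOERROR"),
    ("10.0.7.40", "_dmarc.example.com", "TXT", "NOERROR"),   # one legitimate TXT lookup
    ("10.0.7.33", "www.wikipedia.org", "A", "NOERROR"),
    ("10.0.7.33", "xk3q9vb2zp7w.com", "A", "NXDOMAIN"),
    ("10.0.7.33", "q8m2ztr5vyn4hj.net", "A", "NXDOMAIN"),
    ("10.0.7.33", "bw7k3pxz2qfd.org", "A", "NOERROR"),      # the one name the operator registered
] + [("10.0.7.12", f"s{i}.cmd.beacon-example.test", "TXT", "NOERROR") for i in range(6)]

# Record types the DarkHydrus entry above lists as carriers for tunneled traffic.
TUNNEL_QTYPES = {"TXT", "SOA", "MX", "CNAME", "SRV"}


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    # Simplification: the last two labels; production code should consult the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def looks_generated(label):
    # Heuristic DGA test: a long, high-entropy label with almost no vowels.
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) >= 3.5 and vowels / len(label) < 0.2


def detect_dns_c2(records, tunnel_threshold=5, dga_threshold=3):
    """Return alerts: per client, a registered domain receiving many tunnel-capable
    query types, or a burst of distinct DGA-looking registered domains."""
    tunnel_hits = defaultdict(int)   # (client, domain) -> query count
    dga_domains = defaultdict(set)   # client -> generated-looking domains seen
    for client, qname, qtype, rcode in records:
        domain = registered_domain(qname)
        if qtype in TUNNEL_QTYPES:
            tunnel_hits[(client, domain)] += 1
        if looks_generated(domain.split(".")[0]):
            dga_domains[client].add(domain)
    alerts = []
    for (client, domain), n in tunnel_hits.items():
        if n >= tunnel_threshold:
            alerts.append(("dns-tunnel-suspect", client, domain, n))
    for client, domains in dga_domains.items():
        if len(domains) >= dga_threshold:
            alerts.append(("dga-suspect", client, None, len(domains)))
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_c2(SAMPLE_DNS):
        print(alert)
```

NXDOMAIN responses are deliberately not required for the DGA rule, since the operator registers a few of the generated names and those resolve normally.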
